Data protection screening
We recommend that every company carry out due diligence on each of its data management processes to find out whether it complies with the new requirements of the GDPR. In this way, deficiencies can be readily identified.
Compliance with the law
Based on the problems identified during the due diligence, the preparation of documents and any other actions that are obligatory, or (on request) recommended, under the GDPR can begin.
Data protection coaching
In 2018, a new regulation enters into force in the European Union. Following a four-year-long negotiation, a stricter regulation has been introduced, which will bring radical changes in Hungary as well. The GDPR (General Data Protection Regulation) will replace the former data protection directive. The change of direction is evident: while a directive needs to be transposed into the legal system of each member state separately, a regulation is applied directly. The reform was designed to harmonize data protection laws, to adjust data protection rules to current technology and to provide a higher level of protection for personal data. As a result, the citizens of the European Union will be protected by a coherent, solid data protection regulation.
The GDPR establishes a direct liability rule for data processors. Companies must keep an internal, written record of their data processing activities. In specified cases companies must appoint an EU representative or a data protection officer, and they are also obliged to notify the authorities of data breaches.
Data controllers carrying out activities classified as high risk (such as using new technologies) must establish effective and focused procedural rules and, accordingly, carry out an assessment of the impact of the envisaged processing operations to identify the risks and their likelihood, in particular in the case of large-scale data processing.
The rules on data breaches will be revised. The processor is obliged to notify the authorities of any breach within 72 hours, unless the breach poses no risk. In some cases, notification of the data subjects will also be necessary.
In certain circumstances the company must appoint a data protection officer. This is obligatory by law when the data processing is performed by a public authority or body, or when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
According to the GDPR, data controllers shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, but if requested by the data subject, the information may be provided orally.
It follows from the principle of accountability – laid down by the GDPR – that companies processing data shall have an internal data protection policy which establishes all the technical and organizational standards that are not only compatible with the legislation in force but also tailor-made for the given company.
When it comes to data controllers, the GDPR tightens the rules of liability. Amongst other obligations, data controllers shall keep accurate records of data processing, perform impact assessments for high-risk activities and deliberately apply the general data protection principles, such as data minimisation.
The principle of fair and transparent data processing is a central focus of the GDPR. Consequently, the rights of the data subject must be assured from the moment the data is first recorded. It is important to highlight at this point that the information currently provided about these rights needs to be revised, since the GDPR establishes additional requirements for data controllers and also guarantees additional rights to data subjects.
To support the enforcement of Community law, the PSC system will be established in the field of data protection, meaning that only one office will act as supervisor. This will not only speed up data protection procedures but also promises consistent decision-making. For example, large enterprises operating in multiple countries will be supervised by only one national data protection authority (DPA). The competent DPA will be determined by the seat of the undertaking. This new system should reduce administrative costs and make the territorial allocation of supervision easier.
The GDPR establishes stricter sanctions for data protection violations. After the new regulation becomes applicable in 2018, companies that fail to comply with the requirements of the GDPR may face penalties of up to EUR 20 million or 4% of their annual turnover.
As of May 2018, the GDPR will cover not only EU-based companies but also those carrying out any activity concerning EU citizens. Such data controllers and processors will have to name a representative within the EU.
According to the GDPR, the data subject’s consent will remain the general legal basis for data processing. Data processing should be organised so that the data subject can withdraw their consent at any time. The GDPR highlights that in the case of direct marketing, the data subject shall be informed specifically about their right to object.